Forum Discussion
Maxim_Taskov_90
Nimbostratus
Jun 05, 2008
SNAT Based on Source and Destination
I hope you can help ... thanks.
I am trying to apply conditional SNAT based on source and destination for any service otherwise leave them alone and allow the static NAT to take effect....
Maxim_Taskov_90
Nimbostratus
Jun 05, 2008
That can't be true citizen_elah. I already have similar rules/configurations. The only difference between this one and the other ones is that the others have a more specific VS, e.g. it is a wildcard destination but specific service and protocol. This one is a wildcard on everything ... destination, service, and protocol. I don't see how that would affect it but I would not place any bets either as I am not that familiar with the LTM internals.
Anyway, the good news is that I made progress.
First, I resolved my 'outbound traffic failing' problem by rearranging the rule a little as follows:
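    when CLIENT_ACCEPTED {
        # Outer test: is the client (source) address in the source class?
        if { [matchclass [IP::client_addr] equals $::the_source_ip]} {
            # Inner test: is the destination address in the destination class?
            if { [matchclass [IP::local_addr] equals $::the_destination_ip]} {
                # Source and destination both match: apply the SNAT address
                snat 10.10.1.1
            } else {
                # Source matches, destination does not: forward
                forward
            }
        }
    }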
Don't ask me why or how, but flipping the source and destination match clause positions and changing from an 'and' to multiple 'if' statements fixed it.
Second, I was still not getting any hits on the SNAT or any signs of live packets going in that direction. Just for fun I synchronized the config with the standby unit and went to test from it ... everything worked as expected. Then failed over the current Active unit and it is still working. Now I have to figure out what is wrong with the original Active unit that it works half way only. The curious thing is that all other configurations I have on it work fine and nobody is complaining or reporting any anomalies.
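To see which branch of the rule above a connection takes on each unit, the same rule can be instrumented with log statements. This is an added example, not part of the original post; the class names and SNAT address are the ones in the rule above, and the `cond-snat` log prefix is made up for illustration.

```tcl
# Added example: the rule from the post with one log line per branch.
# $::the_source_ip, $::the_destination_ip and 10.10.1.1 come from the post;
# the "cond-snat" prefix is a hypothetical tag to make the lines easy to grep.
when CLIENT_ACCEPTED {
    set src [IP::client_addr]
    set dst [IP::local_addr]

    if { [matchclass $src equals $::the_source_ip] } {
        if { [matchclass $dst equals $::the_destination_ip] } {
            # Source and destination both matched: SNAT is applied
            log local0. "cond-snat: $src -> $dst matched both classes, snat 10.10.1.1"
            snat 10.10.1.1
        } else {
            # Source matched, destination did not: explicit forward
            log local0. "cond-snat: $src -> $dst matched source only, forward"
            forward
        }
    } else {
        # The posted rule runs no command on this path (neither snat nor forward)
        log local0. "cond-snat: $src -> $dst source not in class, no action"
    }
}
```

On BIG-IP, `log local0.` messages are written to /var/log/ltm, so the same test connection can be compared on the active and standby units. On a wildcard virtual server this logs every connection, so remove the statements once the branch taken on each unit is confirmed.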
